16 May 30, 2013 FCW.COM
"IT says yes only after all variations
of no are disproved," said a VA source
who works in OIT. "Our IT managers
are increasingly self-serving and barely
grasp the mission of the VA anymore.
We call it trench warfare mentality
or circling the wagons. Say no until
all options precluding yes have been
exhausted."
Another source who spoke to FCW
on background admitted that OIT s
shortcomings were significant but
defended its progress under CIO Roger
Baker, who stepped down early this
year and is now chief strategy of cer
at Agilex.
That source, who worked at VA dur-
ing Baker s four-year tenure, said VA
"got its priorities straight, making sure
strategy matched budget allocations"
through the use of the Project Manage-
ment Accountability System (PMAS),
an IT dashboard that the Office of
Management and Budget has used as
a template for governmentwide use.
"The organization Roger inherited
was broken, dysfunctional, screwed
up, you name it," the source said. "We
made a lot of progress in the de cient
areas [mentioned by Deloitte], and
Roger did a lot of it, but that doesn t
mean there isn t still more to do."
Yet several former VA of cials were
not impressed with the department s
progress even as leaders like Baker
were lauded for their work in the past
four years.
"During the time of Steph [Warren]
and Roger [Baker], the inventory of
positive accomplishments would start
with PMAS," one such of cial said. "By
my count, that s where it would end."
The tech issues
In early March, VA s IT operations once
again got caught in the watchdog cross-
hairs. VA admitted to security viola-
tions that potentially exposed infor-
mation to hackers and misuse. The
department was using an unencrypted
telecommunications carrier network to
transfer sensitive data, including veter-
ans EHRs and internal IP addresses,
among certain VA medical centers and
outpatient clinics.
OIT leaders said they had accepted
the security risk of the potential loss
or misuse of the sensitive informa-
tion. Baker and Dr. Robert Petzel, VA s
undersecretary for health, had signed
security waivers to "delay implement-
ing encryption controls in the near
term, while acknowledging the risks
associated with the lack of technical
con guration controls," the IG report
states.
VA s OIT has been criticized in the
past for its lack of standardized pro-
cesses, but IT security holes are the
bigger threat, said one source with
extensive knowledge of OIT s secu-
rity protocols.
"Bandwidth is an active threat.
Hacking the medical record [system]
or establishing bastion hosts within
the perimeter is a potential threat for
which we have other safeguards," the
source said. "If the links get saturated,
however, we are toast. If Baker signed
a waiver, money was likely the driver."
The insider said Baker should not
shoulder all the blame because he had
"inherited a mishmash of varying vin-
tages bought with no strategic plan
when money was distributed" to the
Veterans Integrated Service Networks.
"We rarely put encryption devices on
those [systems] unless it was direct to
a medical provider, and even then...I do
not recall seeing anything more than
a rewall on most," the source said.
"Some encryption on point-to-point
links is built into the router, so I think
in cases where the data was de nitively
sensitive, we would turn that on. As to
end-to-end [hardware] encryption on a
[wide-area network] with so many end-
points? The scope is just mind-boggling
for me. I frankly do not think we will
Former CIO Roger Baker (left) and former Chief Technology Officer
Peter Levin (center) announced their departures within days of one
another in February. Several other senior agency leaders in the Office
of Information and Technology and elsewhere have left in recent
weeks as well. OIT's Principal Deputy Assistant Secretary Stephen
Warren (right) is now serving as acting CIO.
What's wrong at VA?